2019-07-17 20:08:50 +00:00
|
|
|
<?php
|
|
|
|
|
|
|
|
/*
|
2019-07-17 20:31:04 +00:00
|
|
|
* @copyright Copyright (C) 2005-2010 Keyboard Monkeys Ltd. http://www.kb-m.com
|
2019-07-17 20:08:50 +00:00
|
|
|
* @license http://creativecommons.org/licenses/BSD/ BSD License
|
|
|
|
* @author Keyboard Monkey Ltd
|
|
|
|
* @since CommunityID 0.9
|
|
|
|
* @package CommunityID
|
|
|
|
* @packager Keyboard Monkeys
|
|
|
|
*/
|
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
class OpenidController extends CommunityID_Controller_Action
|
2019-07-17 20:08:50 +00:00
|
|
|
{
|
2019-07-17 20:16:19 +00:00
|
|
|
protected $_numCols = 1;
|
|
|
|
|
2019-07-17 20:08:50 +00:00
|
|
|
public function providerAction()
|
|
|
|
{
|
2019-07-17 20:16:19 +00:00
|
|
|
$server = $this->_getOpenIdProvider();
|
|
|
|
$request = $server->decodeRequest();
|
|
|
|
$sites = new Model_Sites();
|
2019-07-17 20:08:50 +00:00
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
if (!$request) {
|
2019-07-17 20:08:50 +00:00
|
|
|
$this->_helper->viewRenderer->setNeverRender(true);
|
2019-07-17 20:19:00 +00:00
|
|
|
$this->_response->setRawHeader('HTTP/1.0 403 Forbidden');
|
2019-07-17 20:16:19 +00:00
|
|
|
Zend_Registry::get('logger')->log("OpenIdController::providerAction: FORBIDDEN", Zend_Log::DEBUG);
|
2019-07-17 20:31:04 +00:00
|
|
|
echo $this->view->translate('Forbidden');
|
2019-07-17 20:16:19 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
// association and other transactions, handled automatically by the framework
|
|
|
|
if (!in_array($request->mode, array('checkid_immediate', 'checkid_setup'))) {
|
|
|
|
return $this->_sendResponse($server, $server->handleRequest($request));
|
|
|
|
}
|
|
|
|
|
|
|
|
// can't process immediate requests if user is not logged in
|
|
|
|
if ($request->immediate && $this->user->role == Users_Model_User::ROLE_GUEST) {
|
|
|
|
return $this->_sendResponse($server, $request->answer(false));
|
|
|
|
}
|
|
|
|
|
2019-07-17 20:31:04 +00:00
|
|
|
$trustRoot = $this->_getTrustRoot($request);
|
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
if ($request->idSelect()) {
|
|
|
|
if ($this->user->role == Users_Model_User::ROLE_GUEST) {
|
|
|
|
$this->_forward('login');
|
|
|
|
} else {
|
2019-07-17 20:31:04 +00:00
|
|
|
if ($sites->isTrusted($this->user, $trustRoot)) {
|
2019-07-17 20:16:19 +00:00
|
|
|
$this->_forward('proceed', null, null, array('allow' => true));
|
2019-07-17 20:31:04 +00:00
|
|
|
} elseif ($sites->isNeverTrusted($this->user, $trustRoot)) {
|
2019-07-17 20:16:19 +00:00
|
|
|
$this->_forward('proceed', null, null, array('allow' => false));
|
|
|
|
} else {
|
|
|
|
if ($request->immediate) {
|
|
|
|
return $this->_sendResponse($server, $request->answer(false));
|
|
|
|
}
|
|
|
|
|
|
|
|
$this->_forward('trust');
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (!$request->identity) {
|
|
|
|
die('No identifier sent by OpenID relay');
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($this->user->role == Users_Model_User::ROLE_GUEST) {
|
|
|
|
$this->_forward('login');
|
|
|
|
} else {
|
|
|
|
// user is logged-in already. Check the requested identity is his
|
|
|
|
if ($this->user->openid != $request->identity) {
|
|
|
|
Zend_Auth::getInstance()->clearIdentity();
|
|
|
|
if ($this->immediate) {
|
|
|
|
return $this->_sendResponse($server, $request->answer(false));
|
|
|
|
}
|
2019-07-17 20:08:50 +00:00
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
$this->_forward('login');
|
2019-07-17 20:31:04 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if max_auth_age is requested through the PAPE extension
|
|
|
|
require_once 'libs/Auth/OpenID/PAPE.php';
|
|
|
|
if ($papeRequest = Auth_OpenID_PAPE_Request::fromOpenIDRequest($request)) {
|
|
|
|
$extensionArgs = $papeRequest->getExtensionArgs();
|
|
|
|
if (isset($extensionArgs['max_auth_age'])
|
|
|
|
&& $extensionArgs['max_auth_age'] < $this->user->getSecondsSinceLastLogin())
|
|
|
|
{
|
|
|
|
$this->_forward('login');
|
|
|
|
return;
|
2019-07-17 20:08:50 +00:00
|
|
|
}
|
|
|
|
}
|
2019-07-17 20:31:04 +00:00
|
|
|
|
|
|
|
if ($sites->isTrusted($this->user, $trustRoot)) {
|
|
|
|
$this->_forward('proceed', null, null, array('allow' => true));
|
|
|
|
} elseif ($sites->isNeverTrusted($this->user, $trustRoot)) {
|
|
|
|
$this->_forward('proceed', null, null, array('deny' => true));
|
|
|
|
} else {
|
|
|
|
$this->_forward('trust');
|
|
|
|
}
|
2019-07-17 20:08:50 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
/**
|
|
|
|
* We don't use the session with the login form to simplify the dynamic appearance of the captcha
|
|
|
|
*/
|
2019-07-17 20:08:50 +00:00
|
|
|
public function loginAction()
|
|
|
|
{
|
2019-07-17 20:16:19 +00:00
|
|
|
$server = $this->_getOpenIdProvider();
|
|
|
|
$request = $server->decodeRequest();
|
|
|
|
|
2019-07-17 20:31:04 +00:00
|
|
|
$this->view->yubikey = $this->_config->yubikey;
|
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
$authAttempts = new Users_Model_AuthAttempts();
|
|
|
|
$attempt = $authAttempts->get();
|
|
|
|
$this->view->useCaptcha = $attempt && $attempt->surpassedMaxAllowed();
|
|
|
|
$this->view->form = new Form_OpenidLogin(null, $this->view->base, $attempt && $attempt->surpassedMaxAllowed());
|
|
|
|
|
2019-07-17 20:31:04 +00:00
|
|
|
if ($this->_getParam('invalidCaptcha')) {
|
|
|
|
$this->view->form->captcha->addError($this->view->translate('Captcha value is wrong'));
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($this->_getParam('invalidLogin')) {
|
|
|
|
$this->view->form->addError($this->view->translate('Invalid credentials'));
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($request->idSelect()) {
|
|
|
|
$this->view->identity = false;
|
|
|
|
$this->view->form->openIdIdentity->setRequired(true);
|
|
|
|
} else {
|
|
|
|
$this->view->identity = $request->identity;
|
2019-07-17 20:08:50 +00:00
|
|
|
}
|
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
$this->view->queryString = $this->_queryString();
|
2019-07-17 20:31:04 +00:00
|
|
|
|
|
|
|
if ($this->user->role == Users_Model_User::ROLE_GUEST && @$_COOKIE['image']) {
|
|
|
|
$images = new Users_Model_SigninImages();
|
|
|
|
$this->view->image = $images->getByCookie($_COOKIE['image']);
|
|
|
|
} else {
|
|
|
|
$this->view->image = false;
|
|
|
|
}
|
2019-07-17 20:08:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
public function authenticateAction()
|
|
|
|
{
|
2019-07-17 20:16:19 +00:00
|
|
|
$server = $this->_getOpenIdProvider();
|
|
|
|
$request = $server->decodeRequest();
|
|
|
|
|
|
|
|
$authAttempts = new Users_Model_AuthAttempts();
|
|
|
|
$attempt = $authAttempts->get();
|
|
|
|
|
|
|
|
$form = new Form_OpenidLogin(null, $this->view->base, $attempt && $attempt->surpassedMaxAllowed());
|
2019-07-17 20:08:50 +00:00
|
|
|
$formData = $this->_request->getPost();
|
|
|
|
$form->populate($formData);
|
|
|
|
|
|
|
|
if (!$form->isValid($formData)) {
|
2019-07-17 20:31:04 +00:00
|
|
|
$formErrors = $form->getErrors();
|
|
|
|
// gotta resort to pass errors as params because we don't use the session here
|
|
|
|
if (@$formErrors['captcha']) {
|
|
|
|
$this->_forward('login', null, null, array('invalidCaptcha' => true));
|
|
|
|
} else {
|
|
|
|
$this->_forward('login');
|
|
|
|
}
|
2019-07-17 20:16:19 +00:00
|
|
|
return;
|
2019-07-17 20:08:50 +00:00
|
|
|
}
|
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
$users = new Users_Model_Users();
|
2019-07-17 20:31:04 +00:00
|
|
|
$result = $users->authenticate(
|
|
|
|
$request->idSelect()? $form->getValue('openIdIdentity') : $request->identity,
|
|
|
|
$this->_config->yubikey->enabled && $this->_config->yubikey->force?
|
|
|
|
$form->getValue('yubikey')
|
|
|
|
: $form->getValue('password'),
|
|
|
|
true,
|
|
|
|
$this->view
|
|
|
|
);
|
2019-07-17 20:08:50 +00:00
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
if ($result) {
|
|
|
|
if ($attempt) {
|
|
|
|
$attempt->delete();
|
|
|
|
}
|
|
|
|
$sites = new Model_Sites();
|
2019-07-17 20:31:04 +00:00
|
|
|
$trustRoot = $this->_getTrustRoot($request);
|
|
|
|
if ($sites->isTrusted($users->getUser(), $trustRoot)) {
|
2019-07-17 20:16:19 +00:00
|
|
|
$this->_forward('proceed', null, null, array('allow' => true));
|
2019-07-17 20:31:04 +00:00
|
|
|
} elseif ($sites->isNeverTrusted($users->getUser(), $trustRoot)) {
|
2019-07-17 20:16:19 +00:00
|
|
|
$this->_forward('proceed', null, null, array('deny' => true));
|
|
|
|
} else {
|
|
|
|
$this->_forward('trust');
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (!$attempt) {
|
|
|
|
$authAttempts->create();
|
|
|
|
} else {
|
|
|
|
$attempt->addFailure();
|
|
|
|
$attempt->save();
|
|
|
|
}
|
2019-07-17 20:31:04 +00:00
|
|
|
$this->_forward('login', null, null, array('invalidLogin' => true));
|
2019-07-17 20:16:19 +00:00
|
|
|
}
|
2019-07-17 20:08:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
public function trustAction()
|
|
|
|
{
|
|
|
|
$server = $this->_getOpenIdProvider();
|
2019-07-17 20:16:19 +00:00
|
|
|
$request = $server->decodeRequest();
|
2019-07-17 20:08:50 +00:00
|
|
|
|
2019-07-17 20:31:04 +00:00
|
|
|
$this->view->siteRoot = $this->_getTrustRoot($request);
|
2019-07-17 20:16:19 +00:00
|
|
|
$this->view->identityUrl = $this->user->openid;
|
|
|
|
$this->view->queryString = $this->_queryString();
|
2019-07-17 20:08:50 +00:00
|
|
|
|
2019-07-17 20:31:04 +00:00
|
|
|
$this->view->showProfileForm = $this->_hasSreg($request);
|
2019-07-17 20:08:50 +00:00
|
|
|
}
|
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
public function proceedAction()
|
2019-07-17 20:08:50 +00:00
|
|
|
{
|
|
|
|
// needed for unit tests
|
|
|
|
$this->_helper->layout->disableLayout();
|
|
|
|
$this->_helper->viewRenderer->setNeverRender(true);
|
|
|
|
|
|
|
|
$server = $this->_getOpenIdProvider();
|
2019-07-17 20:16:19 +00:00
|
|
|
$request = $server->decodeRequest();
|
2019-07-17 20:08:50 +00:00
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
if ($request->idSelect()) {
|
|
|
|
$id = $this->user->openid;
|
|
|
|
} else {
|
|
|
|
$id = null;
|
|
|
|
}
|
2019-07-17 20:08:50 +00:00
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
$response = $request->answer(true, null, $id);
|
2019-07-17 20:08:50 +00:00
|
|
|
|
2019-07-17 20:31:04 +00:00
|
|
|
if ($this->_hasSreg($request)
|
|
|
|
// profileId will be null if site is already trusted
|
|
|
|
&& $this->_getParam('profileId')) {
|
|
|
|
$profiles = new Users_Model_Profiles();
|
|
|
|
$profile = $profiles->getRowInstance($this->_getParam('profileId'));
|
|
|
|
$personalInfoForm = Users_Form_PersonalInfo::getForm($request, $profile);
|
2019-07-17 20:16:19 +00:00
|
|
|
$formData = $this->_request->getPost();
|
|
|
|
$personalInfoForm->populate($formData);
|
|
|
|
|
|
|
|
// not planning on validating stuff here yet, but I call this
|
|
|
|
// for the date element to be filled properly
|
2019-07-17 20:19:00 +00:00
|
|
|
$foo = $personalInfoForm->isValid($formData);
|
2019-07-17 20:16:19 +00:00
|
|
|
|
2019-07-17 20:31:04 +00:00
|
|
|
$sregResponse = Auth_OpenID_SRegResponse::extractResponse(
|
|
|
|
$personalInfoForm->getSregRequest(),
|
2019-07-17 20:16:19 +00:00
|
|
|
$personalInfoForm->getUnqualifiedValues());
|
|
|
|
$sregResponse->toMessage($response->fields);
|
|
|
|
}
|
|
|
|
|
2019-07-17 20:31:04 +00:00
|
|
|
$trustRoot= $this->_getTrustRoot($request);
|
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
if ($this->_getParam('allow')) {
|
|
|
|
if ($this->_getParam('forever')) {
|
|
|
|
|
|
|
|
$sites = new Model_Sites();
|
2019-07-17 20:31:04 +00:00
|
|
|
$sites->deleteForUserSite($this->user, $trustRoot);
|
2019-07-17 20:16:19 +00:00
|
|
|
|
|
|
|
$siteObj = $sites->createRow();
|
|
|
|
$siteObj->user_id = $this->user->id;
|
2019-07-17 20:31:04 +00:00
|
|
|
$siteObj->site = $trustRoot;
|
2019-07-17 20:16:19 +00:00
|
|
|
$siteObj->creation_date = date('Y-m-d');
|
|
|
|
|
|
|
|
if (isset($personalInfoForm)) {
|
|
|
|
$trusted = array();
|
|
|
|
// using this key name for BC pre 1.1 when we used Zend_OpenId
|
|
|
|
$trusted['Zend_OpenId_Extension_Sreg'] = $personalInfoForm->getUnqualifiedValues();
|
|
|
|
} else {
|
|
|
|
$trusted = true;
|
|
|
|
}
|
|
|
|
$siteObj->trusted = serialize($trusted);
|
2019-07-17 20:08:50 +00:00
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
$siteObj->save();
|
2019-07-17 20:08:50 +00:00
|
|
|
}
|
|
|
|
|
2019-07-17 20:31:04 +00:00
|
|
|
$this->_saveHistory($trustRoot, Model_History::AUTHORIZED);
|
|
|
|
|
|
|
|
require_once 'libs/Auth/OpenID/PAPE.php';
|
|
|
|
if ($papeRequest = Auth_OpenID_PAPE_Request::fromOpenIDRequest($request)) {
|
|
|
|
$this->_processPape($papeRequest, $response);
|
|
|
|
}
|
2019-07-17 20:08:50 +00:00
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
$webresponse = $server->encodeResponse($response);
|
|
|
|
|
|
|
|
foreach ($webresponse->headers as $k => $v) {
|
2019-07-17 20:19:00 +00:00
|
|
|
if ($k == 'location') {
|
|
|
|
$this->_response->setRedirect($v);
|
|
|
|
} else {
|
|
|
|
$this->_response->setHeader($k, $v);
|
|
|
|
}
|
2019-07-17 20:16:19 +00:00
|
|
|
}
|
|
|
|
|
2019-07-17 20:19:00 +00:00
|
|
|
$this->_response->setHeader('Connection', 'close');
|
|
|
|
$this->_response->appendBody($webresponse->body);
|
2019-07-17 20:16:19 +00:00
|
|
|
} elseif ($this->_getParam('deny')) {
|
|
|
|
if ($this->_getParam('forever')) {
|
|
|
|
$sites = new Model_Sites();
|
2019-07-17 20:31:04 +00:00
|
|
|
$sites->deleteForUserSite($this->user, $trustRoot);
|
2019-07-17 20:16:19 +00:00
|
|
|
|
|
|
|
$siteObj = $sites->createRow();
|
|
|
|
$siteObj->user_id = $this->user->id;
|
2019-07-17 20:31:04 +00:00
|
|
|
$siteObj->site = $trustRoot;
|
2019-07-17 20:16:19 +00:00
|
|
|
$siteObj->creation_date = date('Y-m-d');
|
|
|
|
$siteObj->trusted = serialize(false);
|
|
|
|
$siteObj->save();
|
|
|
|
}
|
|
|
|
|
2019-07-17 20:31:04 +00:00
|
|
|
$this->_saveHistory($trustRoot, Model_History::DENIED);
|
2019-07-17 20:16:19 +00:00
|
|
|
|
2019-07-17 20:19:00 +00:00
|
|
|
return $this->_sendResponse($server, $request->answer(false));
|
2019-07-17 20:08:50 +00:00
|
|
|
}
|
|
|
|
}
|
2019-07-17 20:10:53 +00:00
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
private function _saveHistory($site, $result)
|
|
|
|
{
|
|
|
|
$histories = new Model_Histories();
|
2019-07-17 20:08:50 +00:00
|
|
|
$history = $histories->createRow();
|
|
|
|
$history->user_id = $this->user->id;
|
|
|
|
$history->date = date('Y-m-d H:i:s');
|
2019-07-17 20:16:19 +00:00
|
|
|
$history->site = $site;
|
2019-07-17 20:08:50 +00:00
|
|
|
$history->ip = $_SERVER['REMOTE_ADDR'];
|
|
|
|
$history->result = $result;
|
|
|
|
$history->save();
|
|
|
|
}
|
|
|
|
|
2019-07-17 20:16:19 +00:00
|
|
|
private function _sendResponse(Auth_OpenID_Server $server, Auth_OpenID_ServerResponse $response)
|
|
|
|
{
|
|
|
|
$this->_helper->layout->disableLayout();
|
|
|
|
$this->_helper->viewRenderer->setNeverRender(true);
|
|
|
|
|
|
|
|
$webresponse = $server->encodeResponse($response);
|
|
|
|
|
|
|
|
if ($webresponse->code != AUTH_OPENID_HTTP_OK) {
|
2019-07-17 20:19:00 +00:00
|
|
|
$this->_response->setRawHeader(sprintf("HTTP/1.1 %d ", $webresponse->code), true, $webresponse->code);
|
2019-07-17 20:16:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
foreach ($webresponse->headers as $k => $v) {
|
2019-07-17 20:19:00 +00:00
|
|
|
if ($k == 'location') {
|
|
|
|
$this->_response->setRedirect($v);
|
|
|
|
} else {
|
|
|
|
$this->_response->setHeader($k, $v);
|
|
|
|
}
|
2019-07-17 20:16:19 +00:00
|
|
|
}
|
|
|
|
|
2019-07-17 20:19:00 +00:00
|
|
|
$this->_response->setHeader('Connection', 'close');
|
2019-07-17 20:16:19 +00:00
|
|
|
|
2019-07-17 20:19:00 +00:00
|
|
|
$this->_response->appendBody($webresponse->body);
|
2019-07-17 20:16:19 +00:00
|
|
|
}
|
|
|
|
|
2019-07-17 20:31:04 +00:00
|
|
|
private function _getTrustRoot(Auth_OpenID_Request $request)
|
|
|
|
{
|
|
|
|
$trustRoot = $request->trust_root;
|
|
|
|
Zend_OpenId::normalizeUrl($trustRoot);
|
2019-07-17 20:16:19 +00:00
|
|
|
|
2019-07-17 20:31:04 +00:00
|
|
|
return $trustRoot;
|
|
|
|
}
|
|
|
|
|
|
|
|
private function _hasSreg(Auth_OpenID_Request $request)
|
2019-07-17 20:16:19 +00:00
|
|
|
{
|
2019-07-17 20:31:04 +00:00
|
|
|
// The class Auth_OpenID_SRegRequest is included in the following file
|
|
|
|
require_once 'libs/Auth/OpenID/SReg.php';
|
|
|
|
|
|
|
|
$sregRequest = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
|
|
|
|
$props = $sregRequest->allRequestedFields();
|
|
|
|
|
|
|
|
return (is_array($props) && count($props) > 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
private function _processPape(Auth_OpenID_PAPE_Request $papeRequest, $response)
|
|
|
|
{
|
|
|
|
if (($image = $this->user->getImage()) && @$_COOKIE['image']) {
|
|
|
|
$cidSupportedPolicies = array(PAPE_AUTH_PHISHING_RESISTANT);
|
|
|
|
if ($RPPreferredTypes = $papeRequest->preferredTypes($cidSupportedPolicies)) {
|
|
|
|
$this->user->getLastLoginUtc();
|
|
|
|
$papeResponse = new Auth_OpenID_PAPE_Response(
|
|
|
|
$cidSupportedPolicies,
|
|
|
|
$this->user->getLastLoginUtc()
|
|
|
|
);
|
|
|
|
$papeResponse->toMessage($response->fields);
|
2019-07-17 20:16:19 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2019-07-17 20:08:50 +00:00
|
|
|
}
|